The key to security for VoltDB applications is the users and roles defined in the schema and deployment files. You define users in the deployment file and roles in the schema.
This split is deliberate because it allows you to define the overall security structure globally in the schema, assigning permissions to generic roles (such as admin, dbuser, apps, and so on). You then define specific users and assign them to the generic roles as part of the deployment. This way you can create one configuration (including cluster information and users) for development and testing, then move the application catalog to a different configuration and set of users for production by changing only one file: the deployment file.
You define users within the <users> ... </users> tag set in the deployment file. The syntax for defining users is as follows.
<deployment> <users> <user name="user-name" password="password-string" roles="role-name[,...]" /> [ ... ] </users> ... </deployment>
Include a <user> tag for every username/password pair you want to define.
Then within the schema you define the roles the users can belong to. You define roles with the CREATE ROLE statement.
CREATE ROLE role-name;
You specify which roles a user belongs to as part of the user definition in the deployment file using the roles attribute to the <user> tag. For example, the following code defines three users, assigning operator and developer to the admin role and developer and clientapp to the dbuser role. When a user is assigned to more than one role, you specify the role names as a comma-delimited list.
<deployment> <users> <user name="operator" password="mech" roles="admin" /> <user name="developer" password="tech" roles="admin,dbuser" /> <user name="clientapp" password="xyzzy" roles="dbuser" /> </users> </deployment>
Two important notes concerning the assignment of users to roles:
Users must be assigned at least one role, or else they have no permissions. (Permissions are assigned by role.)
There must be a corresponding role defined in the schema for any roles listed in the deployment file.